From 6eef3264c5891520828c756661ce3da8d739a67f Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Sat, 28 Nov 2020 10:12:09 +0100
Subject: [PATCH] SKADC version support

---
 .../it/inaf/ia2/gms/authn/ClientDbFilter.java | 10 +-
 .../inaf/ia2/gms/authn/ClientDbRapClient.java | 98 +++++++++++++++++++
 gms/src/main/resources/application.properties | 10 --
 gms/src/main/resources/auth.properties        | 23 +++--
 .../ia2/gms/authn/ClientDbFilterTest.java     |  8 +-
 5 files changed, 121 insertions(+), 28 deletions(-)
 create mode 100644 gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java

diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java
index 526ffac..ecd6e49 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbFilter.java
@@ -1,7 +1,7 @@
 package it.inaf.ia2.gms.authn;
 
 import it.inaf.ia2.aa.AuthConfig;
-import it.inaf.ia2.rap.client.RapClient;
+import it.inaf.ia2.aa.UserManager;
 import java.io.IOException;
 import java.net.URI;
 import javax.servlet.Filter;
@@ -15,11 +15,11 @@ public class ClientDbFilter implements Filter {
 
     public static final String CLIENT_DB = "client_db";
 
-    private final RapClient rapClient;
+    private final UserManager userManager;
     private final String defaultJwksUri;
 
-    public ClientDbFilter(AuthConfig authConfig, RapClient rapClient) {
-        this.rapClient = rapClient;
+    public ClientDbFilter(AuthConfig authConfig, UserManager userManager) {
+        this.userManager = userManager;
         defaultJwksUri = URI.create(authConfig.getRapBaseUri()).resolve(authConfig.getJwksEndpoint()).toString();
     }
 
@@ -32,7 +32,7 @@ public class ClientDbFilter implements Filter {
         if (clientDb != null) {
             request.getSession().setAttribute(CLIENT_DB, clientDb);
             String newUrl = defaultJwksUri.replaceAll("\\?client_name=(.*)", "?client_name=" + clientDb);
-            rapClient.addJwksUri(URI.create(newUrl));
+            userManager.addJwksUri(URI.create(newUrl));
         }
 
         fc.doFilter(req, res);
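Review bot: The URI handed to `userManager.addJwksUri` is built on the line above with `replaceAll`, whose second argument is the raw `clientDb` value that the test shows comes from the `client_db` request parameter; a value containing `$` or `\` is interpreted as a regex replacement pattern, and one containing `&` or `#` rewrites the query string of the key-set URL that will later be fetched, because nothing URL-encodes it. I would either reject anything that is not a plain identifier before it reaches the session or the key set, `if (!clientDb.matches("[A-Za-z0-9_-]+")) { throw new BadRequestException("invalid client_db"); }`, or at least build the replacement as `Matcher.quoteReplacement("?client_name=" + URLEncoder.encode(clientDb, StandardCharsets.UTF_8))` (both need new imports). Since this runs on every request carrying the parameter, each distinct value registers another JWKS URI with the UserManager; if that registry is unbounded — not visible from here — an unauthenticated caller can grow it without limit. The enclosing doFilter starts before this hunk.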
diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java
new file mode 100644
index 0000000..0173665
--- /dev/null
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/ClientDbRapClient.java
@@ -0,0 +1,98 @@
+package it.inaf.ia2.gms.authn;
+
+import static it.inaf.ia2.gms.authn.ClientDbFilter.CLIENT_DB;
+import it.inaf.ia2.gms.exception.BadRequestException;
+import it.inaf.ia2.rap.client.call.GetUserCall;
+import it.inaf.ia2.rap.data.RapUser;
+import java.net.URI;
+import java.net.http.HttpRequest;
+import java.util.List;
+import java.util.stream.Collectors;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class ClientDbRapClient extends ServletRapClient {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ClientDbRapClient.class);
+
+    public ClientDbRapClient(String baseUrl) {
+        super(baseUrl);
+    }
+
+    @Override
+    protected HttpRequest.Builder newAuthRequest(HttpRequest.Builder requestBuilder, HttpServletRequest request) {
+        return setClientDb(super.newClientSecretRequest(requestBuilder), request);
+    }
+
+    @Override
+    public HttpRequest.Builder newRequest(String endpoint, HttpServletRequest context) {
+        return setClientDb(super.newRequest(endpoint), context);
+    }
+
+    @Override
+    public HttpRequest.Builder newRequest(URI uri, HttpServletRequest context) {
+        return setClientDb(super.newRequest(uri), context);
+    }
+
+    private HttpRequest.Builder setClientDb(HttpRequest.Builder builder, HttpServletRequest request) {
+        HttpSession session = request.getSession(false);
+        if (session != null) {
+            String clientDb = (String) session.getAttribute("client_db");
+            if (clientDb != null) {
+                builder.setHeader("client_db", clientDb);
+                LOG.debug("client_db=" + clientDb);
+            }
+        }
+        return builder;
+    }
+
+    @Override
+    public URI getAuthorizationUri(HttpServletRequest request) {
+        // for a better security we should check for allowed redirects
+        String redirect = request.getParameter("redirect");
+
+        URI uri;
+        if (redirect != null) {
+            uri = URI.create(redirect);
+        } else {
+            uri = super.getAuthorizationUri(request);
+        }
+
+        String clientDb = request.getParameter(CLIENT_DB);
+        if (clientDb == null) {
+            HttpSession session = request.getSession(false);
+            if (session != null) {
+                clientDb = (String) session.getAttribute(CLIENT_DB);
+            }
+        }
+        if (clientDb == null) {
+            throw new BadRequestException("client_db not set");
+        }
+
+        redirect = uri.toString();
+
+        redirect += redirect.contains("?") ? "&" : "?";
+        redirect += CLIENT_DB + "=" + clientDb;
+
+        return URI.create(redirect);
+    }
+
+    @Override
+    public URI getAccessTokenUri(HttpServletRequest request) {
+        String tokenUri = request.getParameter("token_uri");
+        if (tokenUri != null) {
+            return URI.create(tokenUri);
+        }
+        return super.getAccessTokenUri(request);
+    }
+
+    @Override
+    public List<RapUser> getUsers(String searchText, HttpServletRequest request) {
+        List<RapUser> users = new GetUserCall(this).getUsers(searchText, request);
+        return users.stream()
+                .filter(u -> u.getDisplayName().contains(searchText) || u.getPrimaryEmailAddress().contains(searchText))
+                .collect(Collectors.toList());
+    }
+}
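Review bot: `getAccessTokenUri` lets the request parameter `token_uri` choose the host the token exchange is posted to, and `newAuthRequest` builds those requests through `super.newClientSecretRequest`, so — assuming that method attaches the configured client credentials, as its name suggests — a crafted link can have the client secret and authorization code sent to a server the attacker controls. `getAuthorizationUri` has the same shape with `redirect` and already carries the comment admitting it (`// for a better security we should check for allowed redirects`): the browser is sent to any URI with `client_db` appended, an open redirect, and the appended value is not URL-encoded either. Both overrides should be constrained to the configured RAP origin (or an explicit allow-list) instead of trusted from the query string; a same-origin check against the `baseUrl` the constructor receives is sketched below, and if `redirect` legitimately needs other hosts that list belongs in configuration, not in the request. Separately, the `getUsers` filter calls `contains` on `getDisplayName()` and `getPrimaryEmailAddress()` without a null guard, so a RapUser missing either field will throw.
```java
private final URI baseUri;

public ClientDbRapClient(String baseUrl) {
    super(baseUrl);
    this.baseUri = URI.create(baseUrl);
}

// Accepts only absolute URIs on the configured RAP scheme/host/port; anything else is a 400.
private URI requireRapOrigin(String candidate, String paramName) {
    URI uri = URI.create(candidate);
    boolean sameOrigin = uri.isAbsolute()
            && uri.getScheme().equalsIgnoreCase(baseUri.getScheme())
            && uri.getHost() != null
            && uri.getHost().equalsIgnoreCase(baseUri.getHost())
            && uri.getPort() == baseUri.getPort();
    if (!sameOrigin) {
        throw new BadRequestException(paramName + " must point to the configured RAP server");
    }
    return uri;
}

@Override
public URI getAccessTokenUri(HttpServletRequest request) {
    String tokenUri = request.getParameter("token_uri");
    if (tokenUri != null) {
        return requireRapOrigin(tokenUri, "token_uri");
    }
    return super.getAccessTokenUri(request);
}
// … unchanged: getAuthorizationUri (apply requireRapOrigin to "redirect" the same way), newAuthRequest, newRequest, setClientDb, getUsers …
```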
diff --git a/gms/src/main/resources/application.properties b/gms/src/main/resources/application.properties
index 204831f..2f04083 100644
--- a/gms/src/main/resources/application.properties
+++ b/gms/src/main/resources/application.properties
@@ -4,14 +4,6 @@ server.servlet.context-path=/gms
 spring.main.allow-bean-definition-overriding=true
 server.error.whitelabel.enabled=false
 
-security.oauth2.client.client-id=gms
-security.oauth2.client.client-secret=gms-secret
-security.oauth2.client.access-token-uri=http://localhost/franco/fake-rap/token.php
-security.oauth2.client.user-authorization-uri=http://localhost/franco/fake-rap/index.php
-security.oauth2.resource.token-info-uri=http://localhost/franco/fake-rap/check-token.php
-security.oauth2.client.scope=openid,email,profile
-security.oauth2.resource.jwk.key-set-uri=http://localhost/franco/fake-rap/jwks.php
-
 logging.level.it.inaf=TRACE
 logging.level.org.springframework.security=DEBUG
 logging.level.org.springframework.jdbc=TRACE
@@ -21,8 +13,6 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
 spring.datasource.username=gms
 spring.datasource.password=gms
 
-rap.ws-url=http://localhost/franco/fake-rap/get-users.php
-rap.ws.basic-auth=true
 support.contact.label=IA2 team
 support.contact.email=ia2@inaf.it
 
diff --git a/gms/src/main/resources/auth.properties b/gms/src/main/resources/auth.properties
index ff3fda0..4f14c15 100644
--- a/gms/src/main/resources/auth.properties
+++ b/gms/src/main/resources/auth.properties
@@ -1,12 +1,17 @@
-client_id=gms
-client_secret=gms-secret
-rap_uri=http://localhost/rap-ia2
-jwks_endpoint=/auth/oidc/jwks
-access_token_uri=http://localhost/rap-ia2/auth/oauth2/token
-user_authorization_uri=http://localhost/rap-ia2/auth/oauth2/authorize
-check_token_uri=http://localhost/rap-ia2/auth/oauth2/token
-jwks_uri=http://localhost/rap-ia2/auth/oidc/jwks
-gms_uri=http://localhost:8082/gms/ws/jwt
+client_id=
+client_secret=
+
+rap_uri=https://auth.inaf.it/auth/prod/
+
+access_token_endpoint=accessToken/
+user_authorization_endpoint=authorization/
+check_token_endpoint=userInfo/
+jwks_endpoint=jwks?client_name=ia2gms
+rap_ws_user_endpoint=portal/SendUsers.php/user
+
+rap_client_class=it.inaf.ia2.gms.authn.ClientDbRapClient
+
+gms_uri=https://sso-devel.ia2.inaf.it/gms
 groups_autoload=false
 store_state_on_login_endpoint=true
 scope=openid email profile read:rap
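Review bot: `jwks_endpoint=jwks?client_name=ia2gms` is load-bearing: ClientDbFilter rewrites this endpoint per request with the regex `\?client_name=(.*)`, so a later edit that drops or reorders the query parameter would silently disable per-client key sets without any error. I would document that next to the key, e.g. `# ClientDbFilter rewrites the client_name query parameter of this endpoint per request; keep the "?client_name=" form`. The file also pairs a production RAP (`rap_uri=https://auth.inaf.it/auth/prod/`) with a development GMS callback (`gms_uri=https://sso-devel.ia2.inaf.it/gms`) and empty `client_id`/`client_secret`, which reads as a template that expects deployment-time overrides, yet nothing in the patch shows where they come from; a one-line comment naming the override mechanism would make that explicit. `rap_client_class` loads an implementation by name from configuration, so whoever can edit this file can choose the class that handles credentials — worth a note if the file is not as protected as the secrets it replaces.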
diff --git a/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java b/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java
index 171d050..fe5245a 100644
--- a/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java
+++ b/gms/src/test/java/it/inaf/ia2/gms/authn/ClientDbFilterTest.java
@@ -1,7 +1,7 @@
 package it.inaf.ia2.gms.authn;
 
 import it.inaf.ia2.aa.AuthConfig;
-import it.inaf.ia2.rap.client.RapClient;
+import it.inaf.ia2.aa.UserManager;
 import java.net.URI;
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
@@ -26,7 +26,7 @@ public class ClientDbFilterTest {
     private AuthConfig authConfig;
 
     @Mock
-    private RapClient rapClient;
+    private UserManager userManager;
 
     private ClientDbFilter filter;
 
@@ -38,9 +38,9 @@ public class ClientDbFilterTest {
         when(request.getSession()).thenReturn(mock(HttpSession.class));
         when(request.getParameter(eq("client_db"))).thenReturn("other_db");
 
-        filter = new ClientDbFilter(authConfig, rapClient);
+        filter = new ClientDbFilter(authConfig, userManager);
         filter.doFilter(request, mock(HttpServletResponse.class), mock(FilterChain.class));
 
-        verify(rapClient).addJwksUri(eq(URI.create("http://ia2.inaf.it/jwks?client_name=other_db")));
+        verify(userManager).addJwksUri(eq(URI.create("http://ia2.inaf.it/jwks?client_name=other_db")));
     }
 }
-- 
GitLab